General
Target: a7b10c83d7f95867ba50ec6c6cace3347a8ac906c6a5fd0d5379fe54aa640b58N
Size: 600KB
Sample: 241106-162mhsygpc
MD5: 0af109949c3f505614433bb241532ad0
SHA1: dba62ebfad2af8c4d7015daebe949fc23d648a43
SHA256: a7b10c83d7f95867ba50ec6c6cace3347a8ac906c6a5fd0d5379fe54aa640b58
SHA512: 846383a34fbc014eb2d4f5de368ef50b954439b90db9196b2d9b4f8b53da793350496e40b8e5231e6c831ffa52d9d6e9442f843cdb19f150d5a4f63a1bed8163
SSDEEP: 12288:6G4QbzjsO64b7cvsETjor20vipRugJQqPZnv2SGUbeAKYeGTYzwYzdqmxyKNnNqm:d4QbzgO64b7cvnDsgUdy2N
Static task: static1
Behavioral task: behavioral1
Sample: a7b10c83d7f95867ba50ec6c6cace3347a8ac906c6a5fd0d5379fe54aa640b58N.exe
Resource: win7-20240903-en
Malware Config
Extracted
Family: xworm
Version: 5.0
hTiTQSR18tmk2nlC (value listed without a field name in the report)
install_file: wintousb.exe
Targets
Target: a7b10c83d7f95867ba50ec6c6cace3347a8ac906c6a5fd0d5379fe54aa640b58N (hashes as listed under General)
- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes (typically via Add-MpPreference or Set-MpPreference) so the payload and its install location are no longer scanned.
- Checks computer location settings
  Reads the country code configured in the registry, most likely as a geofence check that conditions execution on the victim's configured region.
- Legitimate hosting services abused for malware hosting/C2
  The report does not name the service used.
- Suspicious use of SetThreadContext
  Commonly seen when a payload is injected into a suspended process and its entry point is redirected (process hollowing).
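The two host-side behaviours above (Defender exclusions added through PowerShell, and the registry lookup of the configured country) are easy to turn into detection logic. The block below is an added example written for this page, not code from the sandbox or the XWorm family; the events it scans are constructed in a loosely Sysmon-like shape, the process and registry paths are assumptions, and the registry key HKCU\Control Panel\International\Geo is assumed to be where the location setting lives. It also decodes -EncodedCommand payloads, since a base64 UTF-16LE command line would otherwise slip past a plain string match.

```python
import base64
import re


def encode_ps(command: str) -> str:
    """Encode a command the way powershell.exe -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Assumed drop location for the install_file named in the config.
DROPPED = r"C:\Users\user\AppData\Roaming\wintousb.exe"

# Constructed events for this example; not records from the sandbox run.
SAMPLE_EVENTS = [
    {"Type": "ProcessCreate", "Image": PS, "ParentImage": DROPPED,
     "CommandLine": "powershell -WindowStyle Hidden -Command \"Add-MpPreference "
                    "-ExclusionPath 'C:\\Users\\user\\AppData\\Roaming' "
                    "-ExclusionExtension '.exe' -ExclusionProcess 'wintousb.exe'\""},
    {"Type": "ProcessCreate", "Image": PS, "ParentImage": DROPPED,
     "CommandLine": "powershell -NoP -enc "
                    + encode_ps("Set-MpPreference -ExclusionPath C:\\ProgramData")},
    {"Type": "ProcessCreate", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -Command Get-MpPreference"},  # read-only, must not fire
    {"Type": "RegistryQuery", "Image": DROPPED,
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001"
                     r"\Control Panel\International\Geo"},
]

# Add-/Set-MpPreference followed by any of the three exclusion switches.
EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\b", re.I | re.S)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Assumption: the location (GeoID) setting is stored under Control Panel\International\Geo.
GEO_RE = re.compile(r"\\Control Panel\\International\\Geo(\\|$)", re.I)


def expand_command_line(cmdline: str) -> str:
    """Return the command line plus any decoded -EncodedCommand payload, so one regex sees both."""
    parts = [cmdline]
    for blob in ENCODED_RE.findall(cmdline):
        try:
            parts.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            pass  # not a valid encoded command; the raw line is still scanned
    return "\n".join(parts)


def detect(events):
    """Return (rule, image, parent) for each event matching one of the two behaviours."""
    hits = []
    for ev in events:
        if ev.get("Type") == "ProcessCreate" and "powershell" in ev.get("Image", "").lower():
            if EXCLUSION_RE.search(expand_command_line(ev.get("CommandLine", ""))):
                hits.append(("defender_exclusion_via_powershell", ev["Image"], ev.get("ParentImage")))
        elif ev.get("Type") == "RegistryQuery" and GEO_RE.search(ev.get("TargetObject", "")):
            hits.append(("geo_registry_lookup", ev["Image"], None))
    return hits


if __name__ == "__main__":
    for rule, image, parent in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image} (parent: {parent})")
```

The parent process is carried in each hit because, for this sample, the useful correlation is PowerShell spawned by the freshly dropped install_file rather than by an administrator's console; tune on that pairing rather than on the cmdlet alone, since Add-MpPreference is also used legitimately.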